FrSIRT pulls exploits from site
Window Snyder | March 22nd, 2006 | Filed Under: Disclosure, Industry Punditry
In conformity with applicable French laws prohibiting full disclosure, the FrSIRT will no longer distribute exploits and PoCs on its public web site. The public exploits section has thus been definitively closed. Exploits and PoCs are available to FrSIRT VNS™ subscribers only.
Something tells me this is more about driving dollars to the FrSIRT service than conforming to the law that was passed in 2004.
Back in April of 2004 K-Otik Staff (now FrSIRT) posted to bugtraq:
A new anti-security law was voted yesterday in France. This law, called LEN (loi pour la confiance dans l’économie numérique), in article 34 with its 323-3-1, says: “The fact, without legitimate reason, of holding, of offering, of yielding or of placing at the disposal equipment, instrument, a data-processing or program conceived or especially adapted to make the facts envisaged by articles 323-1 to 323-3 is punished sorrows planned respectively for the infringement itself or the infringement most severely repressed.”
Translation:
- having or distributing exploit code and/or detailed vulnerability information and/or information about hacking techniques is ILLEGAL.
- having or distributing hacking/security tools, scanners, pen testers, or technical white papers is ILLEGAL.
- magazines and websites distributing security information about vulnerabilities or exploits are ILLEGAL.
pathetic!
followed by:
Send us our “green cards” - thanks !
Guess they won’t be needing those now that they’ve found a way to cash in on this law, two years later.
So what has French law taught us? Exploits are bad. The public should be protected from exploits or bad people will use them to do bad things. If K-Otik hosts a site that freely allows people to download exploits then they are bad, bad, bad.
Proof-of-concept code is good. Good security professionals that pay good money to belong to good clubs should have access to proof-of-concept code so they can use it to do good things. If K-Otik changes their name to FrSIRT (which sounds much more respectable) and calls exploits proof-of-concept code and sells them to “security professionals,” then they are offering the world a valuable service. Got it.
As a certain l0pht guy was fond of saying… “We’re not selling out, we’re cashing in.” If K-Otik/FrSIRT can turn an unreasonable French law into euros then good for them.
April 8th, 2006 11:12 pm
nice! Now I don’t remember hearing this from you less than a year ago, I guess something changed in the past months.
Ivan Arce | 03.24.06 - 6:20 pm | #
Actually, you and Sinan Eren have made me reconsider my previous position. I don’t quite agree with you guys yet, but I’m getting closer.
Window Snyder | 03.24.06 - 9:30 pm | #